Extending VM disk

Consider the following situation: a CentOS 6.2 host (this can also be Fedora or RHEL for that matter) using KVM to run virtual machines (VMs). The host uses the Logical Volume Manager (LVM) as storage to create disks for the VMs. Now one of the machines needs more disk space than was originally envisioned, so the space must be extended. The guest system in turn is also running CentOS 6.2 and itself uses LVM to set up its storage.

So we have the following entities to deal with:

Host: The physical machine running CentOS 6.2 and KVM.

Guest: Virtual machine running in KVM.

vg_host/lv_vm: The logical volume on the host system which constitutes the disk drive of the Guest.

/dev/vda2: The second partition on the first virtio disk in the Guest. It contains the only physical volume used on the Guest.

vg_vm: The volume group on the Guest where the only physical volume is /dev/vda2.

vg_vm/lv_root: The logical volume in the Guest volume group which holds the root of the Guest's filesystem.

To keep things simple we assume that there is only a single mount point for the Guest, i.e. /usr etc. are not split off onto their own partitions or logical volumes. Replace vg_host, lv_vm, and vg_vm with the actual values from your system. vgdisplay and lvdisplay can help you find them.

So the following steps are necessary to get more disk space into the VM.

On Host: Extend vg_host/lv_vm

On Guest: Extend /dev/vda2 partition

On Guest: Extend /dev/vda2 physical volume

On Guest: Extend vg_vm/lv_root logical volume

On Guest: Extend vg_vm/lv_root file system

Therefore, execute the following steps.

0. Stop the VM:

virsh shutdown VM

1. On Host: Extend vg_host/lv_vm: This command extends the volume by 10GB; change the size as appropriate and make sure there is enough free space left in the volume group.

lvresize -L+10G vg_host/lv_vm

2. On Guest: Extend /dev/vda2 partition: This is critical, take special care! It is important to choose the proper starting cylinder. The suggested start might be wrong, therefore first print the current start and keep it. Sorry this is the German output, but you should be able to match it properly.
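One way to enforce the "print the current start and keep it" rule from step 2, added here as an example that is not part of the original post: save the partition table as text before the edit and again after it, then compare. It assumes the table is captured with `sfdisk -d` (a choice made for this example); the function names and the sample dumps are constructed.

```shell
#!/bin/sh
# Added example: verify that a re-created partition kept its start sector.
# Inputs are the text of `sfdisk -d DISK` saved before and after the edit.

# Print FIELD (start or size) of partition PART from a dump read on stdin.
part_field() {
    awk -v part="$1" -v field="$2" '
        $1 == part {
            line = $0
            gsub(/[ \t]/, "", line)     # "/dev/vda2:start=1026048,size=..."
            sub(/^[^:]*:/, "", line)    # drop the device name
            n = split(line, kv, ",")
            for (i = 1; i <= n; i++)
                if (index(kv[i], field "=") == 1) {
                    print substr(kv[i], length(field) + 2); exit
                }
        }'
}

# Exit 0 only if PART starts at the same sector and is larger in AFTER.
grown_in_place() {
    part=$1 before=$2 after=$3
    s0=$(printf '%s\n' "$before" | part_field "$part" start)
    s1=$(printf '%s\n' "$after"  | part_field "$part" start)
    z0=$(printf '%s\n' "$before" | part_field "$part" size)
    z1=$(printf '%s\n' "$after"  | part_field "$part" size)
    [ -n "$s0" ] && [ "$s0" = "$s1" ] && [ "$z1" -gt "$z0" ]
}

# Constructed sample dumps (sector numbers are made up).
BEFORE='unit: sectors

/dev/vda1 : start=     2048, size=  1024000, Id=83, bootable
/dev/vda2 : start=  1026048, size= 19945472, Id=8e'
AFTER_OK='/dev/vda1 : start=     2048, size=  1024000, Id=83, bootable
/dev/vda2 : start=  1026048, size= 40916992, Id=8e'
AFTER_BAD='/dev/vda1 : start=     2048, size=  1024000, Id=83, bootable
/dev/vda2 : start=  1026111, size= 40916929, Id=8e'

for dump in "$AFTER_OK" "$AFTER_BAD"; do
    if grown_in_place /dev/vda2 "$BEFORE" "$dump"; then
        echo "ok: /dev/vda2 kept its start and grew"
    else
        echo "STOP: /dev/vda2 start moved or size did not grow"
    fi
done
```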

The long road to Kerberos/LDAP/NFSv4 and a shortcut

Recently we got a new server at university. It will replace the current file and authentication server which uses NIS and NFSv3. It provides us with a good opportunity to upgrade to something more secure and efficient. So I took on the journey to set up OpenLDAP as user directory, Kerberos for authentication, and NFSv4 for file sharing. But the way took a little time, only to find out later about a shortcut which makes it almost a piece of cake. The long way still provides insightful information, therefore it's still useful to try it do-it-yourself style first.

Rather than writing yet another howto, I will link to documents that I used during the initial setup. The most relevant source is the Kerberos/LDAP/NFSv4 HOWTO. It describes the way pretty much step by step. If you want to replace NIS like us, the Replacing NIS with Kerberos and LDAP HOWTO is a good read. We use CentOS 5.6 on the file server. The most common pitfall to run into then is that the NFS code there only supports weak ciphers. As a client we used a Fedora 14 machine, which will only try strong ciphers by default (cf. for example Red Hat/Fedora bug reports #652273 and #573968). First edit /etc/krb5.conf and set allow_weak_crypto = yes in the [libdefaults] section. Then make sure to add -e des-cbc-crc:normal to the ktadd command when exporting the NFS service keys (nfs/host@REALM) to the keytab. It is described in the NFSv4 Kerberos Setup Guide, as well as the mentioned howto, but it is something easily missed and hard to diagnose when new to the system. The NFSv4 Linux FAQ provides some tips for NFS problems. Another document describes common Kerberos issues. When googling, the Ubuntu NFSv4 HOWTO frequently comes up, but it does not provide much useful additional information.

Once I had it running I was pointed to FreeIPA. It is an integrated solution that combines the 389 directory server, Kerberos, and the Dogtag Certificate System with nice console administration tools and a helpful WebUI. I went straight for version 2.0.0, for which a new Enterprise Identity Management Guide is currently a work in progress. FreeIPA 2.0.0 is not perfect yet, and I had to report a few bugs, but it makes the overall process much easier. You still need to allow weak crypto yourself if CentOS/RHEL 5 is involved; IPA won't do that automatically for you. If you run into problems where the authentication fails (add -vvvvv as RPC idmapd and gssd/svcgssd flags to see this), wipe out the keys on both server and client and get new ones with the -e des-cbc-crc:normal for the NFS service keys! The nice people behind the project are extremely helpful if you ask nicely via IRC.
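An added check, not part of the original post: the two compatibility changes described above (allow_weak_crypto = yes in [libdefaults] and NFS service keys exported with -e des-cbc-crc:normal) can be inventoried with the shell functions below, so they are easy to find again once no CentOS/RHEL 5 host depends on them. The function names and sample data are constructed for this example; it assumes `klist -ke` output with one key per line and matches both the short enctype name and the long description that some MIT krb5 releases print.

```shell
#!/bin/sh
# Added example: locate the weak-crypto settings the post describes.

# Read krb5.conf on stdin; exit 0 if [libdefaults] enables allow_weak_crypto.
weak_crypto_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { sect = $0; gsub(/[ \t]/, "", sect); next }
        sect == "[libdefaults]" && /^[ \t]*allow_weak_crypto[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            found = (tolower(val) ~ /^(y|yes|t|true|on|1)$/)
        }
        END { exit !found }'
}

# Read `klist -ke` output on stdin; print "KVNO principal" for single-DES keys.
# des3-* (triple DES) entries are deliberately not matched.
single_des_keys() {
    awk '
        $1 ~ /^[0-9]+$/ &&
        (tolower($0) ~ /des-cbc-(crc|md4|md5)/ || $0 ~ /\(DES cbc mode/) {
            print $1, $2
        }'
}

# Constructed sample inputs (realm and host names are placeholders).
SAMPLE_CONF='[libdefaults]
 default_realm = EXAMPLE.COM
 ; kept while the CentOS 5 NFS server is in service
 allow_weak_crypto = yes
[domain_realm]
 .example.com = EXAMPLE.COM'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 host/files.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/files.example.com@EXAMPLE.COM (des3-cbc-sha1)
   3 nfs/files.example.com@EXAMPLE.COM (des-cbc-crc)'

if printf '%s\n' "$SAMPLE_CONF" | weak_crypto_enabled; then
    echo "allow_weak_crypto is enabled in [libdefaults]"
fi
printf '%s\n' "$SAMPLE_KLIST" | single_des_keys | while read -r kvno princ; do
    echo "single-DES key: $princ (kvno $kvno)"
done
```

On a real host the inputs would be `weak_crypto_enabled < /etc/krb5.conf` and `klist -ke /etc/krb5.keytab | single_des_keys`.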

Have fun and enjoy secure authentication and encrypted file sharing as we hopefully will once the system is deployed.

Fawkes in Google Summer of Code 2011 with Fedora

The Fedora Robotics SIG has completed the Fedora Robotics Suite, a set of robotics-related software packages that are readily available in Fedora Linux. Fawkes is one prominent member of this package set. The original idea also envisioned creating an educational application, where a user would learn step by step to control a robot, then instruct, and finally program it. The project could not be completed due to a developer shortage.

The project has now been proposed as one possible candidate for the Google Summer of Code 2011 with the Fedora Project as mentoring organization. If you are a student with a background in robotics and experience in C++ software development, please consider applying for this project. The Fedora Robotics SIG comprises many developers of upstream software projects, providing a good way to get in touch with those projects. It will also be a very visible feature of the Fedora Robotics effort, providing a good showcase for later applications.